[DNS] Dnssec severs question

So Comcast has them rolled out now I know that. My router is assigned to obtain them automatically. When I do an ip config on command prompt it says my computer is using the default router ip for the dns. Does this mean my pc is pulling whatever DNs the router is getting from my modem and just listing it as the router ip?

As EG said, your router is likely just acting as a DNS proxy (AKA a DNS forwarding server).

If you really want to know what DNS servers you are using (not just the two IP addresses that are supplied by Comcast's DHCP server), run the DNS Nameserver Spoofability Test at GRC. My Windows DNS server and my routers all forward to the Comcast DNSSEC servers, but that test usually lists ~30 Comcast DNS servers, none of which have the 75.75.75.75 or 75.75.76.76 IP addresses. That is of course the nature of the AnyCast system, you will connect to the closest server that is available to answer your query, and if the closest server is busy, you will get the next closest, and ...--History does not long entrust the care of freedom to the weak or the timid.-- Dwight D. Eisenhower

I thought about explaining the difference between a DNS proxy and a DNS forwarder, but I figured that too many eyes would turn glassy. --History does not long entrust the care of freedom to the weak or the timid.-- Dwight D. Eisenhower

Only someone with access to your router and your connected devices can answer that question.

If your router is getting the DNS server information from Comcast's DHCP servers, and the devices connected to your router are using the router's DHCP server (and if the router is acting as a DNS forwarder if that is to where the DNS server entries in the connected devices point), then most likely you are using Comcast's DNSSEC servers.

You however, are the only one who can verify that. Look at your router's configuration, and at the TCPIP configuration of your connected devices, and you will have the answer.

Here is a sample of what to look for (from my own equipment):

The only things that may not be readily apparent from the above information is that the IP address 192.168.9.2 belongs to my Windows server, and its DNS server simply forwards to the Comcast DNSSEC servers the same as the two routers do. Also I do not use DHCP on the Netgear router's WAN because I have a static IP block from Comcast, but pointing it to the SMC router's gateway accomplishes the same thing since that makes it use the SMC router's DNS forwarding to the Comcast DNSSEC servers).

Here is an image of my current network to help clarify the above information (which is from the XP workstation in the lower right corner):

--History does not long entrust the care of freedom to the weak or the timid.-- Dwight D. Eisenhower

It doesn't even look likely connection to the modem is receiving the dnssec servers. Looks like the old DNA servers how could this be I thought they rolled it out to everyone

Just because you don't see 75.75.75.75 and 75.75.76.76 showing up as the DHCP supplied DNS server IP addresses, that does not mean that you are not using the Comcast DNSSEC servers. Those two IP addresses are simply the AnyCast gateway IP addresses, the actual DNS servers are still in many cases the same IP addresses that were in use prior to Comcast's official announcement that the DNSSEC rollout was complete.

The screen shot below from my Comcast SMC gateway shows that I am not being supplied the 75.75.x.x DNS server IP addresses either, but the IP addresses shown are nonetheless Comcast DNSSEC server IP addresses. How do I know? I ran the DNS Nameserver Spoofability Test (that I previously suggested that you use) and that verified that I was using Comcast DNSSEC servers.

The GRC DNS Benchmark Test can also be configured to test for DNSSEC compliance, and the screen shot below shows that the two 68.87.x.x IP addresses (the ones in my SMC modem/router) and the 75.75.x.x IP addresses are DNSSEC servers (as is my local router at IP address 192.168.9.10 since it simply forwards to the 68.87.x.x servers that are programmed into the SMC modem/router).

If you really want to know the DNSSEC compliance status of the DNS servers you are using, run the above tests and find out. Another test that can verify DNSSEC compliance is the ICSI Netalyzer test.

If you really don't understand how to run the above mentioned tests (or don't understand the results), then post the DHCP supplied DNS server IP addresses that you are getting from Comcast, and I can do the test for you and interpret the results. There is absolutely no security risk to you from posting those IP addresses if that is why you have been hesitant to provide them.--History does not long entrust the care of freedom to the weak or the timid.-- Dwight D. Eisenhower